One click—and the meeting writes itself. Microsoft Teams, Zoom, Webex—almost every video conferencing platform today offers an integrated transcription feature. The result is a comprehensive transcript, automatically generated with speaker attribution and timestamps. What is technically convenient is legally more complex than many companies assume. This is because the transcription of video conferences involves two areas of law with different requirements. While data protection law is obvious, criminal law must also be considered when dealing with transcription.
This article outlines the relevant legal risks, summarizes how supervisory authorities have already responded, and sets out the legal conditions under which transcriptions can be used.
What happens technically during transcription—and why it matters legally
Before diving into the legal details, it is worth taking a brief look at how modern transcription systems work. Contrary to a common assumption, automated speech recognition does not mean that an AI simply “listens” and writes down what is said in real time.
In practice, the acoustic signal is first captured digitally, divided into very short time segments, and converted into data streams. These segments are analyzed, typically transformed into characteristic acoustic features, and then processed using statistical or neural models to reconstruct text. Not every sound is translated directly into a word; rather, spoken language is converted into coherent text. Fillers such as “uh” and “hmm” are removed, and incomplete sentences are completed. To enable this processing, the audio signal must at least temporarily be stored, buffered, or held in a structured format.
This intermediate storage typically goes beyond purely transient RAM processing in the sense of mere “pass-through.” Even so-called live or real-time transcriptions temporarily store, segment, or preprocess audio data. This applies even if no permanently retrievable audio file is ultimately intended to be stored.
This technical aspect is legally decisive. A hypothetical live transcript without any form of storage or intermediate storage would be assessed differently from the technical standard used by common transcription tools. Anyone who overlooks or underestimates this distinction risks making incorrect assumptions about whether and to what extent processing—particularly of personal data—takes place, and thus applying the wrong legal standard.
Data protection law: personal data, legal bases, and the pitfalls of consent
Transcriptions generally process personal data within the meaning of Article 4(2) GDPR. This includes not only explicit identifiers such as names or email addresses, but also the content of spoken contributions. If transcription tools also assign or identify speakers, the voice itself may be processed as personal data.
As soon as transcription software assigns voices to individuals, the question arises whether biometric data within the meaning of Article 4(14) GDPR is being processed and whether the stricter requirements of Article 9 GDPR apply. The Bavarian Data Protection Authority (BayLDA) takes a differentiated view:
“The processing of voice in the context of transcription generally does not constitute processing of special categories of personal data under Article 9 GDPR. Although the voice is biometric data within the meaning of Article 4(14) GDPR, it is typically not used for the unique identification of a natural person in transcription. Speaker separation is generally carried out using so-called voice embeddings—numerical vectors—and external contextual information such as the user account or active microphone input, without requiring identification of the speaker.” (15th Activity Report 2025, p. 56)
The key factor is therefore whether the voice is actually used to identify a person. If not, no special categories of personal data are processed under Article 9 GDPR. If it is, stricter data protection requirements apply.
For the processing of non-sensitive personal data in transcription, the following legal bases may be considered: consent under Article 6(1)(a) GDPR, performance of a contract under (b), and legitimate interests under (f).
At first glance, consent appears to be the most obvious solution. In practice, however, it often fails in corporate contexts. Under Article 7 GDPR, consent must be freely given, informed, specific, and unambiguous. In employment relationships, voluntariness is frequently questioned, especially if the employer mandates or effectively expects transcription. Simply remaining in a meeting after a pop-up appears and clicking “agree” does not constitute informed consent under data protection law. Moreover, such provider pop-ups generally do not meet the information requirements of Article 13 GDPR. In addition, consent can be withdrawn at any time. If a participant objects during a meeting, transcription must stop, which significantly undermines its documentation purpose.
The key question: Is it possible without explicit consent?
Performance of a contract under Article 6(1)(b) GDPR is not applicable in most internal meetings. Transcription is generally not strictly necessary for fulfilling an employment contract. Given the structural issues with consent, the practically relevant question arises: Can legitimate interest under Article 6(1)(f) GDPR serve as a legal basis for transcribing internal meetings?
The answer is: yes—but not universally; only under specific conditions.
Article 6(1)(f) GDPR requires a three-step test: first, a legitimate interest of the controller; second, necessity of processing to pursue that interest; and third, that the data subject’s interests do not override it.
For internal meetings without sensitive content—such as project check-ins, team coordination, or internal status updates—this test can be satisfied if properly structured. The legitimate interest in efficient documentation and traceable records is economically recognized. Less intrusive means with comparable effectiveness are hardly available. Manual minutes lack both the completeness and efficiency of automated transcription. On the other side of the balancing test is the participants’ personality rights, particularly their right to the spoken word. This weight can be significantly reduced if processing is limited to clearly defined documentation purposes, no profiling or behavioral monitoring takes place, and participants are clearly informed in advance and have a genuine option not to participate or to join in an alternative format.
However, processing based on Article 6(1)(f) GDPR is generally not appropriate for individual HR meetings, disciplinary hearings, job interviews, or meetings where special categories of personal data are discussed. In such cases, the interests of the data subjects prevail.
Criminal law: Section 201 German Criminal Code and the confidentiality of speech
In addition to data protection law, Section 201 of the German Criminal Code (StGB) must be observed. This provision protects the confidentiality of non-public spoken words and criminalizes their unauthorized recording.
At first glance, one might assume that transcription does not constitute a “recording on a medium.” However, this assumption is technically inaccurate and legally risky. Because most standard tools buffer audio signals, spoken words are technically captured, meaning the scope of Section 201(1) No. 1 StGB is generally triggered.
The requirements for valid consent are significantly lower under criminal law than under data protection law. According to prevailing opinion—and as explicitly stated by the Baden-Württemberg Data Protection Authority (LfDI BW, 40th Activity Report 2024, p. 135)—implicit or implied consent is sufficient for criminal law purposes. However, this only applies if individuals are transparently informed beforehand and then knowingly participate in the meeting.
A decision by the German Federal Constitutional Court dated July 9, 2025 (1 BvR 975/25) is also noteworthy. The Court implicitly confirmed that the term “unauthorized” in Section 201 StGB must be interpreted in light of the entire legal system. What is permissible under data protection law cannot be prohibited under criminal law. Thus, a valid data protection legal basis can also serve as a justification under criminal law. However, this requires that the data protection basis is actually valid—if consent is invalid due to lack of transparency or voluntariness, if transcription is not necessary for contractual purposes, if the balancing test is flawed, or if privacy notices fail to specify legitimate interests, the justification falls away and criminal liability may arise.
What supervisory authorities say
German data protection authorities have increasingly addressed this issue due to its practical relevance, though not uniformly:
- The Bavarian Data Protection Authority (BayLDA), in its 2025 report, recognizes that transcription can be based on Article 6(1)(f) GDPR for documenting meeting results, emphasizing purpose limitation and proportionality.
- The Baden-Württemberg authority (LfDI BW) also recognizes legitimate interest but highlights the criminal law dimension and recommends informing participants in the meeting invitation.
- The Saxon Data Protection Authority takes a more restrictive view, generally rejecting Article 6(1)(f) GDPR for call recordings due to lack of necessity and overriding confidentiality interests.
Thus, authorities are not aligned. The BayLDA’s 2025 position provides the most recent and business-friendly guidance—but it is not a free pass and requires a genuine balancing test.
Practical approaches
To use transcription as legally safely as possible, companies should consider the following minimum standards:
- Inform participants in advance about the transcription, its purpose, duration, and recipients—ideally in the calendar invitation.
- Document the balancing test if relying on legitimate interest.
- Conclude a data processing agreement with the tool provider (Article 28 GDPR).
- Record transcription as a separate processing activity (Article 30 GDPR).
- Define appropriate retention periods and delete data when no longer needed.
- Conduct a data protection impact assessment where necessary (Article 35 GDPR) and at least document a preliminary threshold assessment.
- Involve the works council where applicable (§ 87(1)(6) BetrVG).
- Differentiate between meeting types—HR and highly confidential meetings should not be transcribed.
AI-based transcription is not a legal no-go—but neither is it a legal “no brainer”. A “standard installation” without legal preparation can create avoidable risks. However, with careful planning, transparency, and clear boundaries, companies can benefit from efficiency gains while significantly reducing data protection and criminal law risks. Recent guidance shows that legitimate interest is no longer merely theoretical, but a partially recognized legal basis.
We would be happy to advise you on the specific requirements in your company and develop a tailored transcription strategy together.
'/%3e%3c/svg%3e){kind=small}
'/%3e%3c/svg%3e){kind=small}
